syzbot


KASAN: out-of-bounds Read in stack_not_used

Status: moderation: reported on 2024/10/26 19:39
Subsystems: kernel
Reported-by: syzbot+03c60de2a8c5c5092000@syzkaller.appspotmail.com
First crash: 29d, last: 29d

Sample crash report:
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f28c044dfb0 R14: 0000000020000080 R15: 00007f28c1ae13f0
 </TASK>
task:modprobe        state:R  running task    
==================================================================
BUG: KASAN: out-of-bounds in stack_not_used+0x85/0x90 kernel/exit.c:791
Read of size 8 at addr ffffc9000fa066a8 by task syslogd/2530

CPU: 0 UID: 0 PID: 2530 Comm: syslogd Not tainted 6.12.0-rc4-syzkaller-00052-gc6d9e43954bf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 stack_not_used+0x85/0x90 kernel/exit.c:791
 sched_show_task kernel/sched/core.c:7591 [inline]
 sched_show_task+0x23a/0x5f0 kernel/sched/core.c:7579
 show_state_filter+0xee/0x320 kernel/sched/core.c:7649
 k_spec drivers/tty/vt/keyboard.c:667 [inline]
 k_spec+0xed/0x150 drivers/tty/vt/keyboard.c:656
 kbd_keycode drivers/tty/vt/keyboard.c:1522 [inline]
 kbd_event+0xcbd/0x17a0 drivers/tty/vt/keyboard.c:1541
 input_handler_events_default+0x116/0x1b0 drivers/input/input.c:2549
 input_pass_values+0x777/0x8e0 drivers/input/input.c:126
 input_event_dispose drivers/input/input.c:352 [inline]
 input_handle_event+0xb30/0x14d0 drivers/input/input.c:369
 input_event drivers/input/input.c:398 [inline]
 input_event+0x83/0xa0 drivers/input/input.c:390
 hidinput_hid_event+0xa12/0x2410 drivers/hid/hid-input.c:1719
 hid_process_event+0x4b7/0x5e0 drivers/hid/hid-core.c:1540
 hid_input_array_field+0x535/0x710 drivers/hid/hid-core.c:1652
 hid_process_report drivers/hid/hid-core.c:1694 [inline]
 hid_report_raw_event+0xa02/0x11c0 drivers/hid/hid-core.c:2040
 __hid_input_report.constprop.0+0x341/0x440 drivers/hid/hid-core.c:2110
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:285
 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f0/0x3930 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1691 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1755
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1772
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xac/0x110 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_is_held_type+0x107/0x150 kernel/locking/lockdep.c:5902
Code: 00 00 b8 ff ff ff ff 65 0f c1 05 0c eb 13 79 83 f8 01 75 2d 9c 58 f6 c4 02 75 43 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 45 31 ed eb
RSP: 0018:ffffc9000173fba8 EFLAGS: 00000282
RAX: 0000000000000046 RBX: 1ffff920002e7f7e RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8727f520 RDI: ffffffff8746ebc0
RBP: ffffffff88ebb080 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000000 R12: ffff8881156e8000
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
 lock_is_held include/linux/lockdep.h:249 [inline]
 __might_resched+0x4ca/0x5e0 kernel/sched/core.c:8615
 __inode_security_revalidate security/selinux/hooks.c:283 [inline]
 inode_security+0x5b/0x130 security/selinux/hooks.c:325
 selinux_file_permission+0x145/0x580 security/selinux/hooks.c:3635
 security_file_permission+0x3e/0x80 security/security.c:2841
 rw_verify_area+0xaf/0x200 fs/read_write.c:470
 vfs_write+0x136/0x1140 fs/read_write.c:674
 ksys_write+0x12f/0x260 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa4ff6f2bf2
Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fffa7277678 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa4ff6f2bf2
RDX: 000000000000005b RSI: 0000563dd33a2600 RDI: 0000000000000003
RBP: 0000563dd33a2600 R08: 0000000000000001 R09: 0000000000000000
R10: 00007fa4ff8913a3 R11: 0000000000000246 R12: 000000000000005b
R13: 00007fa4ff59e300 R14: 0000000000000006 R15: 0000563dd33a2410
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc9000fa00000, ffffc9000fa09000) created by:
 kernel_clone+0xfd/0x960 kernel/fork.c:2784

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810cf7dee0 pfn:0x10cf7d
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88810cf7dee0 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 13412, tgid 13412 (kworker/u8:3), ts 1416405080032, free_ts 1414018040038
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0xd5c/0x2630 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x221/0x2270 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0xeb/0x400 mm/mempolicy.c:2265
 vm_area_alloc_pages mm/vmalloc.c:3568 [inline]
 __vmalloc_area_node mm/vmalloc.c:3646 [inline]
 __vmalloc_node_range_noprof+0x724/0x15a0 mm/vmalloc.c:3828
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x2e41/0x91e0 kernel/fork.c:2203
 kernel_clone+0xfd/0x960 kernel/fork.c:2784
 user_mode_thread+0xb4/0xf0 kernel/fork.c:2862
 call_usermodehelper_exec_sync kernel/umh.c:133 [inline]
 call_usermodehelper_exec_work+0x6b/0x170 kernel/umh.c:164
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 17485 tgid 17485 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0x8a5/0x1170 mm/page_alloc.c:2686
 folios_put_refs+0x363/0x4d0 mm/swap.c:1007
 free_pages_and_swap_cache+0x45f/0x510 mm/swap_state.c:335
 __tlb_batch_free_encoded_pages+0xf9/0x290 mm/mmu_gather.c:136
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu mm/mmu_gather.c:373 [inline]
 tlb_finish_mmu+0x168/0x7b0 mm/mmu_gather.c:465
 exit_mmap+0x3df/0xb30 mm/mmap.c:1887
 __mmput kernel/fork.c:1347 [inline]
 mmput+0xdb/0x3e0 kernel/fork.c:1369
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x9bf/0x2ce0 kernel/exit.c:926
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1097
 x64_sys_call+0x14a9/0x16a0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffffc9000fa06580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000fa06600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000fa06680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                     ^
 ffffc9000fa06700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000fa06780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
   7:	65 0f c1 05 0c eb 13 	xadd   %eax,%gs:0x7913eb0c(%rip)        # 0x7913eb1b
   e:	79
   f:	83 f8 01             	cmp    $0x1,%eax
  12:	75 2d                	jne    0x41
  14:	9c                   	pushf
  15:	58                   	pop    %rax
  16:	f6 c4 02             	test   $0x2,%ah
  19:	75 43                	jne    0x5e
  1b:	48 f7 04 24 00 02 00 	testq  $0x200,(%rsp)
  22:	00
  23:	74 01                	je     0x26
  25:	fb                   	sti
  26:	48 83 c4 08          	add    $0x8,%rsp
* 2a:	44 89 e8             	mov    %r13d,%eax <-- trapping instruction
  2d:	5b                   	pop    %rbx
  2e:	5d                   	pop    %rbp
  2f:	41 5c                	pop    %r12
  31:	41 5d                	pop    %r13
  33:	41 5e                	pop    %r14
  35:	41 5f                	pop    %r15
  37:	c3                   	ret
  38:	cc                   	int3
  39:	cc                   	int3
  3a:	cc                   	int3
  3b:	cc                   	int3
  3c:	45 31 ed             	xor    %r13d,%r13d
  3f:	eb                   	.byte 0xeb

Crashes (1):
Time: 2024/10/22 19:32
Kernel: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
Commit: c6d9e43954bf
Syzkaller: a93682b3
Config: .config
Log: console log
Report: report
Syz repro: none listed
C repro: none listed
VM info: info
Assets: [disk image] [vmlinux] [kernel image]
Manager: ci2-upstream-usb
Title: KASAN: out-of-bounds Read in stack_not_used